Solved

domain time not syncing

Posted on 2013-05-23
665 Views
Last Modified: 2013-05-27
I have a single domain with 3 sites. Everything is working fine except that at site 2 the time on the local domain controller will not sync with the PDC at site 1.

Each site has its own domain controller. Site 1 is connected to site 2 via private line. Site 1 is connected to site 3 via VPN at our firewalls. Sites 2 and 3 cannot communicate directly.

Users on the domain at site 2 are pulling incorrect time from the DC at site 2. On the DC at site 2 a w32tm /monitor recognizes a time mismatch between it and the PDC at site 1, but a resync does not fix the issue.

I went ahead and added the PDC at site 1 as a manually added peer, but resyncing still does not fix the issue...

To temporarily fix the issue I did a net time \\DC@site1 /set. I've had to do this twice within the last 3 months. Any ideas why the DC at site 2 is not pulling time correctly? I've checked and UDP traffic on port 123 is allowed across our private link, so it's not a traffic/routing/networking issue.

Many thanks in advance.
Question by: j_haff
4 Comments
LVL 18

Accepted Solution

by:
irweazelwallis earned 500 total points
ID: 39193558
You need to set up the Windows Time settings to sort this out so that resync happens automatically.

You can use WMI filtering to automatically move the Time settings around:

http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx

Then add the additional settings to control how often it syncs and where from.

On the PDC add these settings to the policy (where GPSEXTERNAL is a DNS record pointing at an external time source; this could also be pool.ntp.org or something similar):

System/Windows Time Service/Time Providers
  Policy                          Setting
  Configure Windows NTP Client    Enabled
    NtpServer                     GPSEXTERNAL,0x1
    Type                          NTP
    CrossSiteSyncFlags            2
    ResolvePeerBackoffMinutes     15
    ResolvePeerBackoffMaxTimes    7
    SpecialPollInterval           900
    EventLogFlags                 3


On the Default Domain Controllers Policy:

System/Windows Time Service/Time Providers
  Policy                          Setting
  Configure Windows NTP Client    Enabled
    NtpServer                     time.windows.com,0x9
    Type                          NT5DS
    CrossSiteSyncFlags            2
    ResolvePeerBackoffMinutes     15
    ResolvePeerBackoffMaxTimes    7
    SpecialPollInterval           3600
    EventLogFlags                 1
 

I use the following in both to control the correction:

System/Windows Time Service
  Policy                          Setting
  Global Configuration Settings   Enabled
  Clock Discipline Parameters
    FrequencyCorrectRate          4
    HoldPeriod                    5
    LargePhaseOffset              50000000
    MaxAllowedPhaseOffset         300
    MaxNegPhaseCorrection         172800
    MaxPosPhaseCorrection         172800
    PhaseCorrectRate              7
    PollAdjustFactor              5
    SpikeWatchPeriod              900
    UpdateInterval                100
  General Parameters
    AnnounceFlags                 10
    EventLogFlags                 2
    LocalClockDispersion          10
    MaxPollInterval               10
    MinPollInterval               6
    ChainEntryTimeout             16
    ChainMaxEntries               128
    ChainMaxHostEntries           4
    ChainDisable                  0
    ChainLoggingRate              30
LVL 18

Expert Comment

by:irweazelwallis
ID: 39193560
To run through the checking you can do some of the following.

Set up debugging on Windows Time:

http://support.microsoft.com/kb/816043

This will create log files and you can tell if it's pulling the time from the right place.

w32tm /query /status to see what it's doing

then

w32tm /monitor /computers:dc2.domain.com,DC01.domain.com (it will show the offset by comparing with your PDC)

or, with a nice easy display:

w32tm /stripchart /computer:<remote computer>
Expert Comment

by:userPrincipalName
ID: 39195071
It should be pointed out the Announce Flags on your PDCe should be set to 5.  All other DCs should be set to 10.
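As an added example (not part of the original thread or of the accepted answer), here is the same split applied locally with w32tm and the registry instead of through the GPO: the PDC emulator takes an external NTP source and advertises as reliable (AnnounceFlags 5, per the comment above), every other DC follows the domain hierarchy and is not reliable (AnnounceFlags 10), and the clock-discipline bounds from the accepted answer are set on both. The external peer name is a placeholder, and the script assumes it runs elevated on a DC. One caveat worth knowing: when a W32Time GPO applies, its values live under HKLM\SOFTWARE\Policies\Microsoft\W32Time and take precedence over the Services\W32Time keys written here, so pick one mechanism and stick to it.

```powershell
# Added example, not from the thread. Local-config equivalent of the GPO settings:
# branch on whether this DC holds the PDC emulator role. Assumes an elevated
# session on a DC; the external peer below is a hypothetical DNS name.
# 0x1 on the peer = use SpecialPollInterval instead of the adaptive poll.
$ExternalNtpPeers = 'gpsexternal.example.com,0x1'

function Test-IsPdcEmulator {
    # No ActiveDirectory module required; uses .NET directory services.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdc = $domain.PdcRoleOwner.Name
    $me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    return ($pdc -ieq $me)
}

function Set-DcTimeConfig {
    param([Parameter(Mandatory)][bool]$IsPdc)

    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    $ntp = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'

    if ($IsPdc) {
        # PDCe: external source, reliable time service (AnnounceFlags 5), poll every 15 min.
        & w32tm.exe /config /manualpeerlist:"$ExternalNtpPeers" /syncfromflags:manual /reliable:yes /update | Out-Null
        Set-ItemProperty -Path $cfg -Name AnnounceFlags       -Value 5   -Type DWord
        Set-ItemProperty -Path $ntp -Name SpecialPollInterval -Value 900 -Type DWord
    } else {
        # Other DCs: domain hierarchy (NT5DS), not reliable (AnnounceFlags 10), poll hourly.
        & w32tm.exe /config /syncfromflags:domhier /reliable:no /update | Out-Null
        Set-ItemProperty -Path $cfg -Name AnnounceFlags       -Value 10   -Type DWord
        Set-ItemProperty -Path $ntp -Name SpecialPollInterval -Value 3600 -Type DWord
    }

    # Clock-discipline bounds from the accepted answer. MaxAllowedPhaseOffset is the
    # largest offset (seconds) corrected by slewing; above it the clock is stepped.
    # Max{Pos,Neg}PhaseCorrection is the largest correction the service will apply
    # at all (48 h here); offsets beyond it are rejected and only logged.
    Set-ItemProperty -Path $cfg -Name MaxAllowedPhaseOffset -Value 300    -Type DWord
    Set-ItemProperty -Path $cfg -Name MaxPosPhaseCorrection -Value 172800 -Type DWord
    Set-ItemProperty -Path $cfg -Name MaxNegPhaseCorrection -Value 172800 -Type DWord

    # Reload the service so the new Config values are read, then force re-discovery.
    Restart-Service w32time
    & w32tm.exe /resync /rediscover
}

Set-DcTimeConfig -IsPdc (Test-IsPdcEmulator)
# Confirm the chosen source: should be the external peer on the PDCe and a DC name elsewhere,
# never "Local CMOS Clock" or "Free-running System Clock".
& w32tm.exe /query /source
```

The restart matters: w32tm /config /update refreshes the peer list, but values written straight to the Config key are only read when the service starts.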
LVL 38

Expert Comment

by:ChiefIT
ID: 39197917
Also, how far out of time are they?

MaxAllowedPhaseOffset 300

This means they will not sync unless they are +/- 5 minutes out of synchronization.
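An added example (not from the thread) that wraps the checks from the earlier comment together with the MaxAllowedPhaseOffset question raised here: it collects a stripchart against the PDCe, parses the sample offsets, and compares the median against the Config registry values so you can tell whether the next sync will be slewed, stepped, or dropped as out of range. dc01.domain.com is the PDCe name used in the earlier comment and is assumed here; run it on the site-2 DC.

```powershell
# Added example, not from the thread. Measures the offset to the PDCe and explains
# what W32Time will do with it given the local MaxAllowedPhaseOffset and
# Max{Pos,Neg}PhaseCorrection values. Assumes dc01.domain.com is the PDCe.
$Pdc = 'dc01.domain.com'

function ConvertFrom-StripchartOutput {
    # Parses "hh:mm:ss, +00.0123456s" lines from w32tm /stripchart ... /dataonly
    # and returns the signed offsets in seconds. Lines such as
    # "hh:mm:ss, error: 0x800705B4" (peer did not answer) are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') {
            [double]$Matches[1]
        }
    }
}

function Get-TimeHealth {
    param([string]$Peer = $Pdc, [int]$Samples = 5)

    $raw     = & w32tm.exe /stripchart /computer:$Peer /samples:$Samples /dataonly
    $offsets = @(ConvertFrom-StripchartOutput -Lines $raw | Sort-Object)
    if ($offsets.Count -eq 0) {
        throw "No NTP samples from $Peer: check name resolution and UDP/123 on the private line"
    }
    # Median rather than mean, so one delayed sample over the WAN does not skew the verdict.
    $median = $offsets[[int][math]::Floor($offsets.Count / 2)]
    $abs    = [math]::Abs($median)

    $cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    # With equal positive/negative limits (as in the accepted answer) the sign does not
    # matter; take the smaller of the two so the check is conservative either way.
    $maxCorrection = [math]::Min($cfg.MaxPosPhaseCorrection, $cfg.MaxNegPhaseCorrection)

    $verdict = if ($abs -gt $maxCorrection) {
        'REJECTED: offset exceeds Max{Pos,Neg}PhaseCorrection; W32Time will log and not correct'
    } elseif ($abs -gt $cfg.MaxAllowedPhaseOffset) {
        'STEP: offset exceeds MaxAllowedPhaseOffset; clock will be set directly on next sync'
    } else {
        'SLEW: within MaxAllowedPhaseOffset; clock rate is adjusted gradually'
    }

    [pscustomobject]@{
        Peer                  = $Peer
        CurrentSource         = (& w32tm.exe /query /source)
        SamplesReceived       = $offsets.Count
        MedianOffsetSeconds   = $median
        MaxAllowedPhaseOffset = $cfg.MaxAllowedPhaseOffset
        MaxPhaseCorrection    = $maxCorrection
        AnnounceFlags         = $cfg.AnnounceFlags
        Verdict               = $verdict
    }
}

Get-TimeHealth | Format-List
```

If CurrentSource comes back as "Local CMOS Clock" or "Free-running System Clock" while the stripchart does return samples, the DC can reach the PDCe but is not using it, which points at the Type/NtpServer configuration rather than the network.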
